On Mon, 2010-04-05 at 10:50 +0200, Marcel Stör wrote:
> We're using HttpClient for an Eclipse plugin. To support self-signed 
> certificates we also use EasySSLProtocolSocketFactory. 
> 
> Hence, we modify the standard HttpClient HostConfiguration instance like so:
> 
> ...
> if (config.isAllowSelfSignedCertificates()) {
>       ProtocolSocketFactory factory = new EasySSLProtocolSocketFactory();
>       try {
>         URI uri = new URI(config.getBaseUrl());
>         int port = uri.getPort();
>         if (port == -1) {
>           port = 443;
>         }
>         Protocol easyHttps = new Protocol(uri.getScheme(), factory, port);
>         hostConfiguration.setHost(uri.getHost(), port, easyHttps);
>       } catch (URISyntaxException e) {
>         throw new IOException("could not parse URI " + config.getBaseUrl(), e);
>       }
>     }
> ...
> 
> While issuing requests against an absolute URI, however, I got the dreaded 
> "javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target". This first left me puzzled as 
> I explicitly use EasySSLProtocolSocketFactory to get around this problem.
> 
> I found that the HttpClient has the following code in its executeMethod() 
> method:
> 
> ...
>       if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) {
>           // make a deep copy of the host defaults
>           hostconfig = (HostConfiguration) hostconfig.clone();
>           if (uri.isAbsoluteURI()) {
>               hostconfig.setHost(uri);
>           }
>       }
> ...
> 
> So, my host config is cloned.
> 
> Since the so-called deep copy isn't a proper deep copy, the copy's protocol's 
> socket factory is no longer EasySSLProtocolSocketFactory but the standard 
> SSLProtocolSocketFactory instead!
> 
> Is this a known issue or am I misunderstanding something?
> 

This is a well known and documented peculiarity of the 3.x API. One MUST
use relative request URIs with a custom HostConfiguration.

Please consider upgrading to HttpClient 4.0 which does not have this
limitation.

Oleg
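
Added example (not part of the original thread and not HttpClient project code): one way to follow the advice above with the 3.x API, keeping the custom Protocol on a per-host HostConfiguration and reducing every request target to a relative URI before it reaches executeMethod(). The names RelativeUriRequests, port, pin, toRelative and get are hypothetical; the socket factory is supplied by the caller, and 443 is assumed as the default port as in the original post.

```java
import java.io.IOException;
import java.net.URI;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

// Added example; class and method names are hypothetical.
public class RelativeUriRequests {

    static int port(URI u) {
        return u.getPort() == -1 ? 443 : u.getPort();
    }

    // Bind the custom socket factory to exactly one host and port.
    static HostConfiguration pin(URI base, ProtocolSocketFactory factory) {
        HostConfiguration hc = new HostConfiguration();
        Protocol custom = new Protocol(base.getScheme(), factory, port(base));
        hc.setHost(base.getHost(), port(base), custom);
        return hc;
    }

    // Reduce a target to path[?query]. An absolute target is accepted only if
    // it names the pinned origin; anything else is rejected rather than sent
    // through a protocol the caller did not choose for it.
    static String toRelative(URI base, URI target) {
        if (target.isAbsolute()) {
            boolean sameOrigin = base.getScheme().equalsIgnoreCase(target.getScheme())
                    && base.getHost().equalsIgnoreCase(target.getHost())
                    && port(base) == port(target);
            if (!sameOrigin) {
                throw new IllegalArgumentException("not on pinned host: " + target);
            }
        }
        String path = target.getRawPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        String query = target.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    // Because the method carries a relative URI, executeMethod() does not call
    // setHost(uri) on a clone, so the Protocol set in pin() stays in effect.
    static int get(HttpClient client, HostConfiguration pinned, URI base, URI target)
            throws IOException {
        GetMethod method = new GetMethod(toRelative(base, target));
        try {
            return client.executeMethod(pinned, method);
        } finally {
            method.releaseConnection();
        }
    }
}
```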

